Analysis Overview
SHA256
b486ad7f522a6f07cb1e1862f34b152b75f3dba3f74df1c11c2078dc420644e8
Threat Level: Shows suspicious behavior
The file 3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe was classified as "Shows suspicious behavior". The verdict is generic: no family signature matched, and it rests on the persistence and suspicious-API behaviours listed below (Startup-folder drop, Run/RunOnce values, WriteProcessMemory, process enumeration).
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-08 13:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 13:39
Reported
2024-06-08 13:42
Platform
win7-20240221-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\Intelproc8T\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8T\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJA\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\Intelproc8T\xbodsys.exe
C:\Intelproc8T\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | 3a19cc2c5444129453ce78d37290025f |
| SHA1 | e7e4bd7dc21fce59e1570f493de54d1d2b2dcb22 |
| SHA256 | e5f92626999a4730dd4245be6db41eef5d7a17736fc362753fddac385e1a5b60 |
| SHA512 | 000fc827959fcbaa6e1aa4a91c24c3334fc6889c6848227580b9f26fec702eeda312eb559e8f0f0775d7b5515d5ea775894249e86fef07a298cd2be07ed38fd5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 98c5eb89b8a9157f251e248d86424942 |
| SHA1 | e96d33842000116555b1047af18eb616d26603b9 |
| SHA256 | a84062ee6124cfd7f4860ab7d95ee4edc064d84fe9dfc78bc10233af7798eaef |
| SHA512 | da020698e9e591ed71b6f04cde747c778ffeec1092ea104eac9e88a429b75819c27d210ee8a4311590dc9a5d8dbff46baa8d5afb4b6e0b2da3bed5a889f676f6 |
C:\Intelproc8T\xbodsys.exe
| MD5 | d7d76b74550c9bf5031c32436962fd3c |
| SHA1 | ec0d4e1be60990b4a854e6699fa045d20fac47b6 |
| SHA256 | b7af2fac0007e2baa7ac79a31b09801db9469635241226bbbe6f8d6527b1cdbb |
| SHA512 | 80f412eda70178ea61699a3cfcfc1213abcd0662fe17491c4ee992fa0150701280feb5c228f76fd833019794bd01cf0045aaf238df5e01d3c4327b830e19af2c |
C:\GalaxJA\optidevloc.exe
| MD5 | 238a872fb78f3771065d39f56c2e4690 |
| SHA1 | 49e2b3932be0cc3ebcdff852e92a1b2c03752477 |
| SHA256 | f83d8730801463a432d368b5ee49ee7eaa285df9cb1bf5e46c991bea75cf1b69 |
| SHA512 | 69baf1342cb0f9bd04acbf55c807f2845d2cd2fc3780d71696f79a4c3f3636506e8bf7b963dd7e5bedff126d1ffe92d114fba6d6e4b72906532cbcb23a688ba8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e29a0d8e01515ccdf896476b472ea5ed |
| SHA1 | 3df006f2b61ba7e21995b0406aa69aadf734e404 |
| SHA256 | be2e1e5a5171a0d5584939a159f42d0afc3a26e07e090f910323fc0cfa2822e1 |
| SHA512 | fe4de2da361da995a6fc30548ab0d8da0467c638d4503f9cf384360982029c4c383e75ccca550d4772e39effcedf83ee092a99f7230773a3605983966ac46e8f |
C:\GalaxJA\optidevloc.exe
| MD5 | 288c84a7e5508a8abad20daf89b125dd |
| SHA1 | 012f646c21cdced707fcaeee01e87707e01e6f5a |
| SHA256 | 938a641acbeb5e50138b912cbe51fab0ad65afdadbd6498c4e3fdb3dc2ee77fa |
| SHA512 | 82b7a252423ce9e207eba1ba43640e75d19bfd01b9a73d801e8570c49f94d9faee038324d80db46eb9ff904d3c8545cb8e3e463027c442d89c3f62f117b04eb9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 13:39
Reported
2024-06-08 13:42
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\SysDrvXZ\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXZ\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBMO\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3fc1c33983231a85fc3007f196ada650_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\SysDrvXZ\abodloc.exe
C:\SysDrvXZ\abodloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
All DNS traffic consists of reverse (PTR) lookups of in-addr.arpa names sent to 8.8.8.8; the single TCP connection to 52.142.223.178:80 has no domain recorded and the report does not attribute it to a process, so on its own it does not establish command-and-control.
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | a999a7784f6fb347947a62e02c475a38 |
| SHA1 | 89f6864f2e0078f8f52bf9d3df6de6135199f4df |
| SHA256 | be6796a212b9f5f783b4258870445d69024f2b42ba14d17ceb6864da378cfe02 |
| SHA512 | 55d596b7ad96bc5a582cbd7c9926a43bc80c71ecb9c7260bd17759b1a58f6a335c8df3e61a8910ee76ec3562886c202aac7260d24f945aad1a0ed5410e3b5d4d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 3f416435f135c6fa83492c189bf02838 |
| SHA1 | 666fe08d3a6fd91d40f9fdcc1f9881afa0a68c2e |
| SHA256 | 8f46d89c5d1d8a4dbb51f39d4808a22524d0f4a05446648e07ce55788ea1b663 |
| SHA512 | 930581fb5f1e9173d4f806c34d8bdc415e0a83f00b6738d3bd75cd995426b2580aa749f3688f383c1d88a9157fada78c1c2f1ee41bef5f2f3d2d69f1cc209c5c |
C:\SysDrvXZ\abodloc.exe
| MD5 | 39a4cbd161a59cf10827fccffbe497e9 |
| SHA1 | 4c01da01e3bc9431358ac83ccbf4b569c8694eae |
| SHA256 | 7cf45c981155d52dea03b2e73c65d861a46b24c5042a935c2bebabdc97d17548 |
| SHA512 | 028627265e7dfe861af5ca12a239b3df3f09bd7d1aabb725959074afb75b1ad10b8dee01e9b703b9ef55c2a07d62b46359d049595e896dcfebe1600604b6290d |
C:\SysDrvXZ\abodloc.exe
| MD5 | 3b374566bfbba0e08a6a6b40c7c757fa |
| SHA1 | 36a73bc782d791f04d53c7cd4668871cf69ff121 |
| SHA256 | 354613db3d4bf06909f37614af33569df31cf7184722788bcc272f327bc0169b |
| SHA512 | a930d3cd51e6333a598d7dc6fbdc9f57d054ce917b616e05ef09cdec522d92da1f4446a00d9e4adadd2d6e46e9a4e3bf10173c3a051525ae9068ec64f7e31947 |
C:\KaVBMO\optixec.exe
| MD5 | 566c66d9aba7cb8df60e8f1f69fc1a8b |
| SHA1 | 1ffb8a15d32790d767edc0d49ad6bc15f2f80f3d |
| SHA256 | ec523eddb03366ec9811b07457687a2e8ff7aa167ce92d5f6429a81911028919 |
| SHA512 | ec163ba4f622242cf4dc1a43dcb79ee5df89255a8abd292d56c9625fe791c36ed33366a0a6ebc0ba0276cda4856bdb7ca7c5b68ac389e20acf0ffd15ee72c909 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 44a511c0019e0b90541263155de0202e |
| SHA1 | 555715bc4c3e287180203b7134080d22d2ff9433 |
| SHA256 | a9a0d37efef19e6c40d99a12f3d2330dc579d75aa11ac1d5e8c40a83d87f6df6 |
| SHA512 | bb54db63e2bbe973f68cf24a8f18ad3ce702a4862af6764891552df8c005a94234bb0bc99d2d2c7fb7140d024a6b22d9419fe621beb71092033694c17ffcc521 |
C:\KaVBMO\optixec.exe
| MD5 | 91f25961fe256f34dcde59073d02e00e |
| SHA1 | 4b77395d9c3fee93e58cfa5b163f7588c695c790 |
| SHA256 | 817f17509713bba9ee9a0ee233a3410110d73924bc161c6a78b269ae5cbae948 |
| SHA512 | f704df994ca4d26e76d6d870efa7eb4383d92ad5ea8adda2d8311bcc97d15572024d6ef08f87b1d4993dc881dcfeef79b058b57a36ea249f1070031e3469c2c9 |
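Added hunt script, not output of the sandbox and not code from the sample: it checks a Windows host for the three persistence artifacts the two behavioral runs record, the HKCU Run/RunOnce value named Parametr, an executable dropped into the per-user Startup folder, and the ini file written directly under the profile root. The value name, the Startup-folder drop and the SHA256 values are taken from the report above. Two things are assumptions: the ini naming pattern `<digits>_<OS version>_<user>.ini` is inferred from 253086396416_6.1_Admin.ini (Win7) and 253086396416_10.0_Admin.ini (Win10), and a Run target that sits in a directory directly under the drive root (as C:\Intelproc8T\xbodsys.exe and C:\SysDrvXZ\abodloc.exe do) is treated as suspicious. The hashes of the dropped executables differ between the two runs, so a hash match is a bonus, not the primary check.

```powershell
# Added hunt script; not sandbox output. Run as the user whose profile is
# being checked: the sample wrote only to HKCU and the user's own profile.

# SHA256 values of the dropped executables recorded in the two runs.
$ReportSha256 = @(
    'e5f92626999a4730dd4245be6db41eef5d7a17736fc362753fddac385e1a5b60', # Startup\ecxopti.exe
    'b7af2fac0007e2baa7ac79a31b09801db9469635241226bbbe6f8d6527b1cdbb', # Intelproc8T\xbodsys.exe
    'f83d8730801463a432d368b5ee49ee7eaa285df9cb1bf5e46c991bea75cf1b69', # GalaxJA\optidevloc.exe
    '938a641acbeb5e50138b912cbe51fab0ad65afdadbd6498c4e3fdb3dc2ee77fa', # GalaxJA\optidevloc.exe (rewritten)
    'be6796a212b9f5f783b4258870445d69024f2b42ba14d17ceb6864da378cfe02', # Startup\sysaopti.exe
    '7cf45c981155d52dea03b2e73c65d861a46b24c5042a935c2bebabdc97d17548', # SysDrvXZ\abodloc.exe
    '354613db3d4bf06909f37614af33569df31cf7184722788bcc272f327bc0169b', # SysDrvXZ\abodloc.exe (rewritten)
    'ec523eddb03366ec9811b07457687a2e8ff7aa167ce92d5f6429a81911028919', # KaVBMO\optixec.exe
    '817f17509713bba9ee9a0ee233a3410110d73924bc161c6a78b269ae5cbae948'  # KaVBMO\optixec.exe (rewritten)
)

function Get-FileEvidence {
    # Hash, Authenticode state and whether the hash matches a report IOC.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return "missing: $Path" }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $sig  = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    $ioc  = if ($ReportSha256 -contains $hash) { 'MATCHES-REPORT' } else { 'no-hash-match' }
    return "sha256=$hash sig=$sig $ioc"
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Run / RunOnce value named "Parametr" (both runs set it in HKCU), or any value
#    whose target lives in a folder directly under the drive root (assumption).
$roots = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
         'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $roots) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # provider metadata, not a Run value
        $target  = ([string]$p.Value) -replace '"', ''
        $rootDir = ($target -match '^[A-Za-z]:\\[^\\]+\\[^\\]+\.exe$') -and
                   ($target -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\')
        if ($p.Name -eq 'Parametr' -or $rootDir) {
            $findings.Add([pscustomobject]@{
                Type  = 'RunKey'
                Where = "$key\$($p.Name)"
                What  = "$target ; $(Get-FileEvidence $target)"
            })
        }
    }
}

# 2. Executables in the per-user Startup folder (both runs dropped one there).
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -LiteralPath $startup -Filter *.exe -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add([pscustomobject]@{ Type = 'StartupExe'; Where = $_.FullName; What = (Get-FileEvidence $_.FullName) })
}

# 3. <digits>_<major.minor>_<user>.ini directly under the profile root.
#    Pattern inferred from 253086396416_6.1_Admin.ini and 253086396416_10.0_Admin.ini (assumption).
$iniPattern = '^\d+_\d+\.\d+_' + [regex]::Escape($env:USERNAME) + '\.ini$'
Get-ChildItem -LiteralPath $env:USERPROFILE -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $iniPattern } | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Type  = 'ProfileIni'
            Where = $_.FullName
            What  = 'sha256=' + (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
        })
    }

if ($findings.Count -eq 0) { 'No matching artifacts found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Run it in the context of each interactive user, since the sample's persistence is entirely per-user (HKCU and the user's Startup folder); a machine-wide sweep needs to load each user's hive separately. A Startup-folder executable with an Authenticode status other than Valid is worth pulling regardless of whether its hash matches, because both runs produced different binaries from the same dropper.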